On May 18, 2006, at 6:20 PM, Daniel Hartmeier wrote:

> On Thu, May 18, 2006 at 04:38:44PM -0400, Chad M Stewart wrote:
>
>> set skip on lo0
>> set skip on $pfsync_if # might not want this
>
> These two lines don't add up, the second one replaces the first,
> so lo0 is not really skipped. Use a single set skip line, listing
> all interfaces to be skipped at once.

Thank you for catching that.

>> block in log all
>> antispoof for $all_if inet
>
> antispoof after a default block is superfluous. It expands to non-quick
> block rules. Any packet that could possibly match them has already
> matched your default block rule above.

Probably my overly paranoid ways getting the better of me. :)

> The expanded rules also don't have the 'log' option. Try and remove the
> antispoof line and reproduce.

See my other post.

> Your first post included the following rule, which I assume is from the
> antispoof expansion:
>
>   block drop in on ! carp0 inet from 24.97.84.32/29 to any
>
> This would match your TCP SYN from 24.97.84.33, and block it without
> logging, assuming it comes in on any interface but carp0.

You are correct. The packet did match that rule.

> Does pf see incoming packets on carp0 again incoming on the real
> interface associated with carp0? Try tcpdump'ing on that real
> interface.

What I find strange is that

  # tcpdump -n -vvv -i rl0 host 24.97.84.35

and

  # tcpdump -n -vvv -i carp0 host 24.97.84.35

both show the incoming packet. In my other post I provided the
details of my hostname.* files, rl0 does not have a routable IP bound
to it, only carp0 has a routable IP. Yet in the pflog0 interface,
the interface is always rl0, the physical interface associated with
carp0. Perhaps this is normal and expected.
-Chad
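As an added example (not part of the thread), here is a pf.conf fragment that puts the two corrections Daniel raised side by side: the weak form as a comment, the fixed form as live config. Only rl0, carp0, $pfsync_if, $all_if and the 24.97.84.32/29 block come from the thread; the macro values and the rl1 interface name are assumed for illustration.

```pf
# Added example pf.conf fragment, not from the thread. Interface names other
# than rl0/carp0 and all macro values are assumed for illustration.
ext_if    = "rl0"                 # physical interface carrying carp0
pfsync_if = "rl1"                 # assumed dedicated pfsync link
all_if    = "{ rl0 rl1 carp0 }"

# WEAK: 'set skip' is not cumulative; the second line replaces the first,
# so lo0 ends up being filtered after all.
#   set skip on lo0
#   set skip on $pfsync_if

# FIXED: a single 'set skip' naming every interface to be skipped.
set skip on { lo0 $pfsync_if }

# Default policy: drop and log everything that is not explicitly passed.
block in log all

# WEAK: 'antispoof for $all_if inet' placed here expands to non-quick block
# rules without 'log', for example
#   block drop in on ! carp0 inet from 24.97.84.32/29 to any
# For non-quick rules the last match wins, so a packet hitting that rule is
# still dropped, but the 'log' from the default block above no longer
# applies. That is how the SYN from 24.97.84.33 in the thread was dropped
# without ever appearing on pflog0.
#   antispoof for $all_if inet

# FIXED: either omit antispoof entirely (the default block already covers
# it), or keep it with 'log' so the drop stays visible on pflog0.
antispoof log for $all_if inet

# Check the expanded rule set without loading it:
#   pfctl -nvf /etc/pf.conf
```

Running the pfctl line shown in the comment prints the expanded antispoof rules, which is the quickest way to confirm whether 'log' is present on the rule that actually matches.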